Raebae1979 / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

User always allowed at least one attempt at challenge question #654

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Enter sufficient bad passwords or bad answers to challenge questions to 
cause an LDAP directory lockout.
2. Close browser
3. Open browser and navigate to forgotten password
4. Search for email address
5. User is presented with a challenge question
6. If the user answers the challenge question incorrectly, he/she is advised 
that he/she is locked out.

What is the expected output? Given that the user is locked out, he/she should 
not be allowed to try a challenge question at step 5. This should only be 
allowed after the lockout period has expired.

What do you see instead? The user sees a challenge question every time he/she 
restarts the browser and navigates to the forgotten password page.

What version of PWM are you using? 1.7.1

What ldap directory and version are you using? Active Directory Windows 2008.

Comment and proposed solution:

It seems clear that the forgotten password servlet in 1.7.1 allows the 
presentation of a challenge question immediately after a successful user 
search. Only after such a question is answered incorrectly does PWM see that 
the user is locked out. There is a test following the user search process, but 
this test only determines whether or not a user has been found.

To correct the logic, as second test needs to be added. The LDAPChaiUser 
object's IS_LOCKED attribute should be checked and the user should be advised 
and an error thrown if the attribute is true.

This is a moderately serious bug as it allows unlimited attempts at the 
challenge questions which may be more guessable than passwords. Limiting the 
number of attempts at challenge questions should be a matter of policy.

Please paste any error log messages below: N/A - there is no error.

Original issue reported on code.google.com by michaelc...@gmail.com on 17 Feb 2015 at 9:57